• Introduction
• Information Security is everyone’s responsibility
o Purpose:
o Scope:
• CloudFactory’s Information Security Principles
o Secure by Design
o Risk Based Approach to Security
o Defence in Depth
o Personnel Security
o Supply Chain Security
o Keep it Simple
o Accountability
o Operational Security
o Secure the Weakest Link
Introduction
CloudFactory is committed to properly protecting the information that it holds. Information
Security is the responsibility of every CloudFactory Core Worker and Cloud Worker. Everyone
MUST read, understand, implement and adhere to this policy and related standards, procedures
and processes.
The data and information stored and used in CloudFactory, both hard copy and electronic, are
one of CloudFactory’s most valuable assets. It is therefore essential that all information and data
that we handle is protected against the many threats that may impact workers, customer privacy
and overall service provision. These threats can range from accidental damage to the deliberate
disclosure of sensitive information.
The management of information and data currently uses many technical processes and
procedures to assist in preserving the confidentiality, integrity and availability of the information
and data held. However, these security measures can be weakened through careless actions such
as writing down or sharing a password.
• It sets out CloudFactory’s high level policy in relation to Information Security and
Assurance
• It lists the specific actions which CloudFactory is taking in order to meet each of the
specific policy objectives
• It sets out the guidance and procedures that apply for the secure operation of
CloudFactory’s applications and platform.
When taken together, these three points set out the standards which will be used to assure
workers and customers of the commitment to the security of CloudFactory’s information and
processing work streams.
CloudFactory’s Information Management principles state that we will “Be Secure”, specifically
that we will strive to be leaders in the security of our information, not only compliant but
proactively protecting ourselves from potential threats. We will achieve this by implementing
this policy and adhering to our Information Security Principles.
Purpose:
This Information Security Policy outlines our information security principles, goals and
objectives to ensure the confidentiality, integrity and availability of CloudFactory’s information
assets, thus protecting these assets from all threats whether internal, external, accidental or
deliberate. This policy will also provide direction and guidance to ensure the protection of
CloudFactory’s information assets by anyone handling our information.
Scope:
This policy is relevant to all of CloudFactory’s information assets, including all
classifications (public, internal, private) and will apply to the storage, communication,
transmission, usage and destruction of these information assets. This policy applies to all
workers, contractors and third parties who access, develop, maintain, acquire or use any form of
CloudFactory’s information systems and/or information assets.
Risk Based Approach to Security
• Our approach to information security will be proportionate to and based on the risk
tolerance associated with our information assets and information systems.
Defence in Depth
Personnel Security
• All personnel whether CloudFactory workers or third party suppliers are required to
achieve and maintain the appropriate level of security awareness and training for the role
and for the access that they require to carry out that role.
Supply Chain Security
• All third-party providers and any of their sub-contracted suppliers, in relation to the
service provided, must conform to all necessary security standards.
Keep it Simple
Accountability
• It must be possible to hold users accountable for use of systems and access to information
assets.
• CloudFactory will monitor, record and periodically review logs to protect against threats
and unauthorised use of information systems and assets.
Operational Security
• Systems and services must be operated securely using processes and procedures that
ensure the operational security of all CloudFactory information systems.
Secure the Weakest Link
• When designing security controls, we must consider the weakest part of the system and
ensure that it is as secure as it needs to be.
• Systems must be maintained with up to date patching and security configurations. The
weakest link may change over time.
Please write your full name to acknowledge receipt of the Information Security Policy of
CloudFactory. By signing it, you acknowledge that you have read the Information Security
Policy, understand its content and agree to comply with it.
Date: 2024-02-21
Sakar Shrestha
Email: sakar.shrestha03@es.cloudfactory.com